Target IP: 10.10.56.145
Challenge Description:
Performing a port scan shows there are two TCP ports open on the target machine: SSH and HTTP, as shown above.
Doing an aggressive port scan against the open TCP ports returns the result above. From that scan output, the robots.txt file contains interesting entries. I will start enumeration with the HTTP application on port 80.
I performed a VHOST scan using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.wekor.thm" -u http://wekor.thm -fs 23 and found the interesting subdomain site.
I modified my /etc/hosts file. It contains the entry above for this machine.
Port 80: HTTP (wekor.thm)
The webpage above is displayed for this web application.
The earlier nmap scan identified the robots.txt file. The entries above are included in it.
Of the entries in robots.txt, only /comingreallysoon is accessible. The webpage above is displayed for this directory. The message above tells me to browse to /it-next.
And browsing to http://wekor.thm/it-next/ displays the website above.
Browsing to Shop and then Shopping Cart displays the webpage above. There is an input box where users can enter a coupon code. I tested this input box for SQL injection using the payload ' and got a hit, as shown above. The error message shown above means this application is vulnerable to SQL injection.
I tested the payload ' OR '1'='1' -- // and received the output above. There is a valid coupon with the code 12345. By the looks of it, there are three columns in total in this table. I confirmed the column count with ORDER BY: the payload 12345' ORDER BY 3 -- // works, while anything larger than three columns throws the error message Unknown column '4' in 'order clause'. Now I can enumerate the application further using this valid coupon code.
Using the payload 12345' UNION SELECT user(), database(), @@version -- //, I obtained more information about the target machine. The MySQL service runs as root@localhost, the current database is coupons, and the MySQL version is 5.7.32-0ubuntu0.16.04.1.
Using the payload 12345' UNION SELECT table_name, table_catalog, table_schema from information_schema.tables -- //, I identified the different tables. The most interesting table I obtained is wp_users inside the wordpress database, as shown above. Does this table contain sensitive information?
From previous knowledge, I know the column names WordPress uses in wp_users. I used this to craft the payload 12345' UNION SELECT user_email, user_pass, user_login from wordpress.wp_users -- //. Sending this payload gives me the crucial information about the users of the WordPress application, as shown above. I now have the emails, usernames, and password hashes of the four users.
I copied the password hashes of the four users and saved them in a file called hash on my machine. Then, using john, I cracked three of the four password hashes, as shown above. Maybe these credentials will become useful later? Time to find where the WordPress application is.
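The coupon box above is the classic string-spliced query. As an added example (not code from the challenge or its application), the vulnerable lookup sits beside the parameterized fix, plus a simple log heuristic that flags the payload shapes used in this writeup. The coupons table is a constructed three-column stand-in in SQLite rather than the target's MySQL, so the block runs offline; the MySQL-specific UNION payloads are not reproduced here.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the target's coupons table: three columns,
    # matching the column count the ORDER BY test established.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE coupons (id INTEGER, code TEXT, discount INTEGER)")
    db.executemany("INSERT INTO coupons VALUES (?, ?, ?)",
                   [(1, "12345", 10), (2, "STAFF-ONLY", 50)])
    return db

def lookup_vulnerable(db, coupon):
    """The coupon check as the writeup found it: input spliced into the SQL text.
    A payload such as ' OR '1'='1' -- // turns the WHERE clause into a tautology
    and returns every row, including coupons the user should never see."""
    sql = f"SELECT id, code, discount FROM coupons WHERE code = '{coupon}'"
    return db.execute(sql).fetchall()

def lookup_fixed(db, coupon):
    """Hardened form: the coupon travels as a bound parameter, so quotes,
    comments and UNION keywords are just characters inside a string literal."""
    sql = "SELECT id, code, discount FROM coupons WHERE code = ?"
    return db.execute(sql, (coupon,)).fetchall()

def db_error_is_hidden(db, coupon):
    """The app leaked the raw MySQL error for a lone quote. Catch the driver's
    error and return a generic result instead of echoing it to the client."""
    try:
        lookup_vulnerable(db, coupon)
        return True
    except sqlite3.OperationalError:
        return True  # log server-side; client only ever sees 'invalid coupon'

# Heuristic for access-log review: substrings present in every payload above.
SQLI_MARKERS = ("'", "--", " or ", " union ", " order by ")

def looks_injected(coupon):
    """Cheap detection rule (assumption: coupon codes are alphanumeric)."""
    c = coupon.lower()
    return any(m in c for m in SQLI_MARKERS)
```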
Port 80: HTTP (site.wekor.thm)
Browsing to http://site.wekor.thm displays the webpage above. The message above says a website will be up in two weeks. The username Jim is interesting.
Doing a directory search shows the /wordpress entry. I am guessing this is the website mentioned at http://site.wekor.thm.
Browsing to http://site.wekor.thm/wordpress/ displays the WordPress webpage above.
I browsed to http://site.wekor.thm/wordpress/wp-admin/ to log in, as I already have the credentials. I successfully logged in with all three sets of credentials. Of these, the user wp_yura with the password soccer13 has administrator privileges, as shown above.
Since this user has administrator privileges, I used the Theme Editor feature to upload my webshell. I replaced the 404.php file of the Twenty Seventeen theme with the Pentest Monkey PHP reverse shell, as shown above. Then I started a listener on port 8443 on my machine.
To trigger the reverse shell connection, I browsed to http://site.wekor.thm/wordpress/wp-content/themes/twentyseventeen/404.php and obtained a reverse shell session as www-data. Now I have a foothold on the target machine.
I obtained the credentials of the MySQL application. I logged into MySQL on port 5072 using the command mysql -u root -P 5072 -p, but did not find anything useful there.
Running ss -tuln shows the services listening on localhost. The service on port 11211 seems interesting. A Google search for port 11211 led me to a useful article.
I used the command echo "version" | nc -vn -w 1 127.0.0.1 11211 from that article to obtain the version number and received the result VERSION 1.4.25 Ubuntu. This is perfect, as the target machine appears to be running memcached.
Using the commands from the same article, I obtained the password OrkAiSC00L24/7$ of the user Orka, as shown above. I then moved horizontally from www-data to Orka by switching user via su with this password.
Running sudo -l shows the interesting command above. This user has two interesting files in their Desktop directory: bitcoin and transfer.py. The first is a binary executable; running strings on it reveals the password password.
The script transfer.py contains the code shown above. This code looks similar to how the bitcoin binary behaves when run. Maybe I can perform module hijacking?
I notice that I can write to /usr/sbin. This is where I created the fake version of python, as shown above; its contents are simply /bin/bash. Then I made the file executable by changing its permissions.
Running the command sudo -u root /home/Orka/Desktop/bitcoin starts the application normally. After it executes, a bash shell with root privileges opens, as shown above. Now I have root access on the target machine.
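The root shell above came from a writable directory early in the search path that a root-run program used for an unqualified python call. As an added example (not part of the writeup), this Python audit flags search-path directories a non-root user could plant a binary in and shows which file an unqualified interpreter name resolves to. The directory layout is a constructed temporary tree, not the target's filesystem; the Ubuntu default secure_path in the comment is from sudo's stock configuration.

```python
import os
import stat
import tempfile

# Ubuntu's stock sudoers secure_path; /usr/sbin is searched before /usr/bin.
UBUNTU_SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

def risky_path_dirs(dirs, check_owner=True):
    """Return search-path directories an unprivileged user could write into:
    group- or world-writable, or (when check_owner) not owned by uid 0."""
    risky = []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue  # missing PATH entries are harmless here
        if not stat.S_ISDIR(st.st_mode):
            continue
        loose_bits = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        if loose_bits or (check_owner and st.st_uid != 0):
            risky.append(d)
    return risky

def resolve_command(name, dirs):
    """First executable matching an unqualified command name, in search order."""
    for d in dirs:
        cand = os.path.join(d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None

def demo():
    # Constructed lab tree: 'usr_sbin' is world-writable like the writeup's
    # /usr/sbin, and is searched before the trusted 'usr_bin'.
    root = tempfile.mkdtemp()
    safe = os.path.join(root, "usr_bin")
    loose = os.path.join(root, "usr_sbin")
    os.mkdir(safe, 0o755)
    os.mkdir(loose, 0o777)
    os.chmod(loose, 0o777)  # umask may have stripped the write bits
    planted = os.path.join(loose, "python")
    with open(planted, "w") as f:
        f.write("# constructed placeholder file, not an interpreter\n")
    os.chmod(planted, 0o755)
    order = [loose, safe]
    # check_owner=False because the lab tree belongs to the current user
    return risky_path_dirs(order, check_owner=False), resolve_command("python", order)

if __name__ == "__main__":
    print(risky_path_dirs(UBUNTU_SECURE_PATH.split(":")))
```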
The user.txt flag is shown above.
The root.txt flag is shown above.